
RE: Other certs extension

(never post before reading the entire thread :-) ...

- The technical need articulated in the I-D is for a permanent
identifier, i.e. a reference that doesn't change even if an entity
providing a service such as a web form field database gets a new DNS
name.  PI isn't just about N-R.

- If you cannot rely on DNS to link multiple instances of a single
entity, and you cannot rely on some other assigner authority to provide
that linkage, then you cannot have a service that will safely allow
state to be shared among those instances.  If you offer such a service
using the new I-D or any other extension (SAN or PI), I'd be happy to
request a cert linking myself to your service, and with no CA or other
assigner authority to stop me, I'd succeed.

In short, the new I-D, if it goes forward, should present a new use case
for existing extensions.  It should not define a new extension.

Dave


-----Original Message-----
From: Stephen Farrell

My earlier response on this was (and still is):

"
- I don't think there's a technical need for a permanent identifier for
   this purpose (as I understand it N-R is the main motivator for 4043)
- I'm not sure that there are any real assigner authorities and
   depending on a new name space might just make the problem at hand
   worse
- I've no idea whether 4043 is widely supported or not (mind you, the
   proposed new extension isn't even implemented so that's less of a
   concern)

However, I do agree that were 4043 used, it could solve the problem
at hand, so even if the new extension does go ahead, the spec should
call that out."